<p>Because it is easy to extract strings from an application source code or binary, passwords should not be hard-coded. This is particularly true for
applications that are distributed or that are open-source.</p>
<p>In the past, it has led to the following vulnerabilities:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466">CVE-2019-13466</a> </li>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389">CVE-2018-15389</a> </li>
</ul>
<p>Passwords should be stored outside of the code in a configuration file, a database, or a password management service.</p>
<p>This rule flags instances of hard-coded passwords used in database and LDAP connections. It looks for hard-coded passwords in connection strings,
and for variable names that match any of the patterns from the provided list.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The password allows access to a sensitive component like a database, a file storage, an API, or a service. </li>
  <li> The password is used in production environments. </li>
  <li> Application re-distribution is required before updating the password. </li>
</ul>
<p>There would be a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> Store the credentials in a configuration file that is not pushed to the code repository. </li>
  <li> Store the credentials in a database. </li>
  <li> Use your cloud provider’s service for managing secrets. </li>
  <li> If a password has been disclosed through the source code: change it. </li>
</ul>
<h2>Sensitive Code Example</h2>
<pre>
String username = "steve";
String password = "blue";
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
                  "user=" + uname + "&amp;password=" + password); // Sensitive
</pre>
<h2>Compliant Solution</h2>
<pre>
String username = getEncryptedUser();
String password = getEncryptedPassword();
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
                  "user=" + uname + "&amp;password=" + password);
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
  Authentication Failures </li>
  <li> <a href="https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication">OWASP Top 10 2017 Category A2</a> - Broken Authentication
  </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
  <li> <a href="https://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
  <li> <a href="https://wiki.sei.cmu.edu/confluence/x/OjdGBQ">CERT, MSC03-J.</a> - Never hard code sensitive information </li>
  <li> Derived from FindSecBugs rule <a href="https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD">Hard Coded Password</a> </li>
</ul>

